abstract image
Blog Events

Vegas or Bust: A First-timer’s Review of Black Hat and DEFCON

Instructions for living a life:

Pay attention.

Be astonished.

Tell about it.

~Mary Oliver, Poet

The Road To Black Hat

I was not, in fact, prepared for Las Vegas.

I don’t know if one can be prepared for Las Vegas. But due to various circumstances of fate and character the town hit me like a sensory sandstorm. My previous experiences with cities did not provide me with the proper grounding for a place like Las Vegas.

The whole sordid business began four days previous when Chief Architect Ben April pinged me and asked nonchalantly, “Any interest in/availability for BlackHat or DEFCON?” And so I stared at Slack for a few minutes, mouth hanging open (Slack-jawed?), the Friday before Hacker Summer Camp. My enthusiastic “hell yes” response set me on course for a whirlwind Tuesday afternoon landing, and the fulfillment of two very large items on my Bucket List for over a decade.

Going into this my only knowledge of Las Vegas consisted of Hunter S. Thompson’s legendary book “Fear & Loathing in Las Vegas” – which I’ve always considered to have Tom Waits-level embellishments across its entirety. I tempered my expectations on the premise that Thompson consistently exaggerated the city’s features for creative and entertaining reasons.  Then we landed, and five steps from my terminal gate sat a cluster of spotless slot machines, like a shining choir of heralds welcoming my arrival to this surreal land. 

So began my adventure in earnest.

My room on floor twelve of the Luxor Hotel & Casino offered a fantastic view of the city, including a skyscraper-tall LED billboard on the side of a building several miles away. Having checked into my hotel, a pyramid on the strip large enough that it contains an actual castle within it, I freshened up and made my way to our rocking party at the Minus 5 Ice Bar. And the Minus 5 Ice Bar does right what it says on the box – you’re handed a winter coat and drink tickets and shuffled into a frozen room constructed of ice, including sculptures, furniture, and cocktail glasses. As a New Englander I felt right at home! We moved from there to a Prohibition-themed bar, and partied the first night away.

It Begins: Black Hat

Anyone that knows me knows I’m a security geek. I lived and breathed information security before I was even in technology proper, watching hacker talks during downtime in my previous career or my offtime. I’m also a sucker for a good hackercon, where I feel among My People (especially BSides conferences, which I’ve long loved, and Wild West Hackin’ Fest – Way West earlier this year). So BlackHat and DEFCON have long held a place in my heart, and suddenly I found myself there!

Registration consisted of one of the most seamless processes I’ve ever been through, with a ton of green-shirted volunteers directing folks politely forward, and one of the only QR code use cases that didn’t make me grumble under my breath. The Chris Krebs keynote was characteristically great and set the tone for the rest of the conference.

It’s worth ensuring readers have the minimum viable background here: both BlackHat and DEFCON are information security conferences, but BlackHat is more industry-focused while DEFCON continues to be more centered around the hacker community itself. So we get to ease into the security context and then let loose a bit afterwards. 

My Wednesday moved from the keynote to a talk on harm reduction in security guidance, and then an excellent talk by Dr. Sandra Quincoses on government-linked cyber actors in election disinformation. The former had me taking notes on soft-skill approaches to provide more qualitative outcomes in working with users. The latter provided a fascinating narrative of tracking Venezuelan-linked actors influencing the recent Colombian election, complete with telltale indicators to look for in the future. After lunch I caught most of Stacy Thayer’s talk on burnout before Juan Andres Guerrero-Saade and Tom Hegel’s talk on findings related to the Russian invasion of Ukraine.

Thursday saw a great opening keynote by journalist Kim Zetter. From there it was an easy choice to hit Luta Security CEO Katie Moussouris’ talk on Bug Bounty systems, and great thoughts on fixing labor issues in the larger security sphere. Another highlight of my Thursday was the talk on job-themed APT social engineering by Sveva Vittoria Scenarelli and Allison Wikoff, a deep energetic dive with fantastic human and technical indicators that I started looking for as soon as I got home. 

The icing on the cake, though, came in the form of the 8th Annual BlackHat USA NOC Report by Neil Wyler and Bart Stump. The openness, transparency, humor, and humility with which they delivered the talk  enlightened and entertained me to no end, including anecdotes about accidentally putting Registration on the same network switch as the NOC and then accidentally crashing Registration with a massive amount of traffic. Black Hat locates its Network Operations Center on the conference floor and allows nosy geeks like me to watch from outside during the con and it proved to be a favorite place to repeatedly stroll through and watch things unfold, and their closing talk proved to be no less fascinating and full of great data points.

Black Hat lived up to and exceeded my expectations, especially for an industry-focused conference. Watching folks come together, give talks, take notes, have coffee and chat animatedly, and soak up knowledge energized me for the next adventure: DEFCON.

Pool’s On The Roof

So it’s Friday morning and I just attended the legendary LineCon – walk-up registration for DEFCON. Paid cash like the paranoiac I am and sat in the chair area in a mostly-empty Caesars’ Forum lobby wondering what the next few days would look like. Isuddenly found my introvert self in conversation with two total strangers – a computer science professor and an applied security practitioner and teacher – sharing perspective and experience in a wild and evolving and free-ranging way that typified what my DEFCON experience would be. Despite our respective technical backgrounds each branch of our conversation came back to the human, the human, the human, in affirming and humbling ways.

There’s a healthy overlap between Black Hat and DEFCON, but whereas Black Hat is smaller, more quietly polished and industry-oriented, DEFCON bays at the moon unapologetically. To quote anthropologist and professor Gabriella Coleman’s book Coding Freedom: The Ethics and Aesthetics of Hacking, “The world of hacking, as is the case with many cultural worlds, is one of reckless blossoming,” or in the words of Rilke: “Everything is blooming most recklessly; if it were voices instead of colors, there would be an unbelievable shrieking into the heart of the night.”

DEFCON leans into this, blossoming across multiple hotels with villages organized by topic, such as aerospace, defense (blue team) and offense (red team/adversary), lockpicking, packet capture, voting systems, industrial control systems, and more, in addition to several main talk tracks. With attendance of about thirty thousand people, that empty Caesars Forum lobby quickly became jam-packed with enthusiasts of all sorts ready to learn, share, and exult.

As a result, DEFCON is a little harder to quantify than Black Hat. From Friday morning onward the time just seemed to up and run away from me in a way it did not earlier in the week. I do have some favorite takeaways, though – the Misinformation Village was a fun romp for me, the Blue Team Village deeply helpful, and the Packet Capture Village an intense experience in both a sensory and a learning way. The latter proffered a series of stations progressively moving through packet capture skills and exercises in a well-organized and fun way among dozens of other people accompanied by thick and funky DJ sets and light shows, and was a blast. DEFCON also sported a Policy Village with some great talks this year, including DOJ officials, and as someone who previously worked tech in the halls of Congress, the policy discussion was a must-see for me.

Banging away on a keyboard in the Packet Capture Village or watching lawyers try to casually not look like lawyers in the line for Policy talks appealed, but the conversations were even more fun. From that inaugural conversation with the professor and the practitioner outside Registration, to the linux hobbyist who chatted me up in the Chill Room, to the table I shared feeling their way through their first lockpicking experience in the LockPicking Village, connecting with folks outshined everything else and made DEFCON burst past any previous hopes into an experience that I genuinely treasure with a poet’s wonder: tens of thousands of people getting together to pay attention, be astonished, and tell about it.